File name: WeGameMiniLoader.std.5.12.21.1022.exe

Full analysis: https://app.any.run/tasks/bbe13f1c-9dbc-4701-9008-a47b236aa2b1
Verdict: Malicious activity
Analysis date: July 13, 2024, 22:02:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: qrcode
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 2C337EC80626CE49CA4380EAD23AEDF6
SHA1: A840D90EFE74A00DAEC2B4470F09A4836E23F308
SHA256: 5BA8182417D0F72FF509B22C0E20110D856321F754E69B7F299D497D73704BB3
SSDEEP: 98304:6eYdOmsTpn0v+Ae1YDYW5HRKvSbRqba2pbc8ul+kWh0QxpI4SRzm9mL/fwGF6uOh:xtBYnawVQcqy2P

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WeGameMiniLoader.std.5.12.21.1022.exe (PID: 3208)
      • TinyDL.exe (PID: 3124)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WeGameMiniLoader.std.5.12.21.1022.exe (PID: 3208)
      • TinyDL.exe (PID: 3124)
    • Process drops legitimate windows executable

      • TinyDL.exe (PID: 3124)
    • Drops a system driver (possible attempt to evade defenses)

      • TinyDL.exe (PID: 3124)
    • The process drops C-runtime libraries

      • TinyDL.exe (PID: 3124)
    • The process creates files with name similar to system file names

      • TinyDL.exe (PID: 3124)
    • Drops 7-zip archiver for unpacking

      • TinyDL.exe (PID: 3124)
  • INFO

    • Checks supported languages

      • WeGameMiniLoader.std.5.12.21.1022.exe (PID: 3208)
      • WeGameMiniLoader.exe (PID: 2748)
      • TinyDL.exe (PID: 3124)
    • Reads the computer name

      • WeGameMiniLoader.std.5.12.21.1022.exe (PID: 3208)
      • WeGameMiniLoader.exe (PID: 2748)
      • TinyDL.exe (PID: 3124)
    • Creates files or folders in the user directory

      • WeGameMiniLoader.std.5.12.21.1022.exe (PID: 3208)
      • WeGameMiniLoader.exe (PID: 2748)
      • TinyDL.exe (PID: 3124)
    • Creates files in the program directory

      • WeGameMiniLoader.exe (PID: 2748)
      • TinyDL.exe (PID: 3124)
    • Reads the machine GUID from the registry

      • WeGameMiniLoader.exe (PID: 2748)
      • TinyDL.exe (PID: 3124)
    • Create files in a temporary directory

      • WeGameMiniLoader.std.5.12.21.1022.exe (PID: 3208)
    • Manual execution by a user

      • explorer.exe (PID: 3080)
      • explorer.exe (PID: 324)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:07:02 02:11:19+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 27648
InitializedDataSize: 122880
UninitializedDataSize: 1024
EntryPoint: 0x396c
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 5.12.21.1022
ProductVersionNumber: 5.12.21.1022
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Windows, Chinese (Simplified)
Comments: -
CompanyName: Tencent
FileDescription: -
FileVersion: 5.12.21.1022
LegalCopyright: -
LegalTrademarks: -
ProductName: WeGame
ProductVersion: 5.12.21.1022
No data.
All screenshots are available in the full report
Total processes: 50
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 0

Behavior graph (interactive in the full report)

Nodes: wegameminiloader.std.5.12.21.1022.exe, wegameminiloader.exe, tinydl.exe, explorer.exe (no specs), explorer.exe (no specs), wegameminiloader.std.5.12.21.1022.exe (no specs)

Process information

PID: 324
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Indicators: -
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID: 2748
CMD: "C:\Users\admin\AppData\Local\WeGame\WeGameMiniLoader(55555)\WeGameMiniLoader.exe"
Path: C:\Users\admin\AppData\Local\WeGame\WeGameMiniLoader(55555)\WeGameMiniLoader.exe
Indicators: -
Parent process: WeGameMiniLoader.std.5.12.21.1022.exe
User: admin
Integrity Level: HIGH
Description: WeGame downloader
Version: 5.12.21.1022
Modules (images):
c:\users\admin\appdata\local\wegame\wegameminiloader(55555)\wegameminiloader.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

PID: 3080
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Indicators: -
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID: 3124
CMD: session=1 uid=0 parent="C:\Users\admin\AppData\Local\WeGame\WeGameMiniLoader(55555)\WeGameMiniLoader.exe"
Path: C:\Users\admin\AppData\Local\WeGame\WeGameMiniLoader(55555)\tiny_dl\TinyDL.exe
Indicators: -
Parent process: WeGameMiniLoader.exe
User: admin
Company: Tencent
Integrity Level: HIGH
Version: 1.0.3.0
Modules (images):
c:\users\admin\appdata\local\wegame\wegameminiloader(55555)\tiny_dl\tinydl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\psapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll

PID: 3208
CMD: "C:\Users\admin\AppData\Local\Temp\WeGameMiniLoader.std.5.12.21.1022.exe"
Path: C:\Users\admin\AppData\Local\Temp\WeGameMiniLoader.std.5.12.21.1022.exe
Indicators: -
Parent process: explorer.exe
User: admin
Company: Tencent
Integrity Level: HIGH
Version: 5.12.21.1022
Modules (images):
c:\users\admin\appdata\local\temp\wegameminiloader.std.5.12.21.1022.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll

PID: 3392
CMD: "C:\Users\admin\AppData\Local\Temp\WeGameMiniLoader.std.5.12.21.1022.exe"
Path: C:\Users\admin\AppData\Local\Temp\WeGameMiniLoader.std.5.12.21.1022.exe
Indicators: -
Parent process: explorer.exe
User: admin
Company: Tencent
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this MEDIUM-integrity launch exited immediately; the installer then ran as PID 3208 at HIGH integrity)
Version: 5.12.21.1022
Modules (images):
c:\users\admin\appdata\local\temp\wegameminiloader.std.5.12.21.1022.exe
c:\windows\system32\ntdll.dll
Total events: 3 519
Read events: 3 519
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 653
Suspicious files: 260
Text files: 863
Unknown types: 1

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3124 | TinyDL.exe | C:\Program Files\WeGame\qbblinktrial\libcef.dll | - | - | -
3124 | TinyDL.exe | C:\Program Files\WeGame\data\json_db\base_game_oss.local | - | - | -
3124 | TinyDL.exe | C:\Program Files\WeGame\data\client_ui.vfs | - | - | -
3208 | WeGameMiniLoader.std.5.12.21.1022.exe | C:\Users\admin\AppData\Local\Temp\nsfEA7D.tmp\NSISPlugin.dll | executable | 362EDDF4162293770BCFF8FA9BFABB7F | F2B73BA3CA42DD9097727F6E0AABFA63B566C2D78BE0D41791D72C6D16240D78
3124 | TinyDL.exe | C:\Program Files\WeGame\tpf_ui.vfs | - | - | -
3124 | TinyDL.exe | C:\Program Files\WeGame\apps\Pallas\lolguide\LOLRes.vfs | - | - | -
3208 | WeGameMiniLoader.std.5.12.21.1022.exe | C:\Users\admin\AppData\Local\WeGame\WeGameMiniLoader(55555)\WeGameMiniLoader.exe | executable | 77159A76C4B8BDAEF68E936D9AAD6732 | C6FD4A9A35C2EA4CEFA54524F88BC488712AB20059AE58B9E83FFDBFA5DA0AEA
3208 | WeGameMiniLoader.std.5.12.21.1022.exe | C:\Users\admin\AppData\Local\WeGame\WeGameMiniLoader(55555)\tiny_dl\signature.dat | binary | 74E2FFC3824F444096F95DEC37F162F3 | 6A82710DC240C4DDC576E4CABF4DB9719ED78EDD02C1428E7A13D1306F97E0A2
3124 | TinyDL.exe | C:\Program Files\WeGame\wgcore.dll | executable | 340EE8D7BDD0924CE1C7B983D4F76879 | 824345DE59717A1ED363530BECC133285577359DF6189F9744446E45755E2818
3124 | TinyDL.exe | C:\Program Files\WeGame\tiny_cache\Game_55555.local-journal | binary | 5D62B601DB9E454420AAD54B830291C7 | DF9091C833F65E424B9FE6003407A2F05E68293A8B3F90D27D4472FEDCBB6A74
HTTP(S) requests: 3 059
TCP/UDP connections: 26
DNS requests: 8
Threats: 0

HTTP requests (first rows only; CN and Size cells are empty in this export)

PID | Process | Method | HTTP Code | IP | URL | Type | Reputation
1372 | svchost.exe | GET | 304 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33 | unknown | whitelisted
1372 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1372 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
3124 | TinyDL.exe | GET | 200 | 43.152.29.15:80 | http://down.qq.com/tgc/iwerepository/rid.10974-r.d9cf0/manifest/10974_3198251187778410138_0.wgj | unknown | whitelisted
3124 | TinyDL.exe | GET | 200 | 43.152.29.15:80 | http://down.qq.com/tgc/iwerepository/rid.10974-r.d9cf0/chunks/b2/b227c06ba70bf6f69ac36364c4e58ae18d5df22258c3ea3739462886f4f66b06.wgc | unknown | whitelisted
3124 | TinyDL.exe | GET | 200 | 43.152.29.15:80 | http://down.qq.com/tgc/iwerepository/rid.10974-r.d9cf0/chunks/46/46a8c93c85cb8b8c68f3a4bb54086276d884409c5cf323c50094218299882956.wgc | unknown | whitelisted
3124 | TinyDL.exe | GET | 200 | 43.152.29.15:80 | http://down.qq.com/tgc/iwerepository/rid.10974-r.d9cf0/chunks/bc/bcfca5c4280707efa2606b74335b175ab834f547e50bd1cda28dc46dee9b9cd2.wgc | unknown | whitelisted
3124 | TinyDL.exe | GET | 200 | 43.152.29.15:80 | http://down.qq.com/tgc/iwerepository/rid.10974-r.d9cf0/chunks/de/de83d2c6c07dd4f7e9702ea38cbee93b304d7947eda8265a71f8c3b80e405c26.wgc | unknown | whitelisted
3124 | TinyDL.exe | GET | 200 | 43.152.29.15:80 | http://down.qq.com/tgc/iwerepository/rid.10974-r.d9cf0/chunks/6f/6f6ef7179a02d7923b400b3fda9c90369b97fb54be8d9ce13792958249f289ca.wgc | unknown | whitelisted
3124 | TinyDL.exe | GET | 200 | 43.152.29.15:80 | http://down.qq.com/tgc/iwerepository/rid.10974-r.d9cf0/chunks/73/733aa8390cf2ff33f6f00d51528151187497c76f95950e19471995bc89d09be2.wgc | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 224.0.0.252:5355 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1372 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2564 | svchost.exe | 239.255.255.250:3702 | - | - | - | whitelisted
1060 | svchost.exe | 224.0.0.252:5355 | - | - | - | whitelisted
2748 | WeGameMiniLoader.exe | 116.130.229.213:8000 | ied-tqos.qq.com | - | - | unknown
2748 | WeGameMiniLoader.exe | 49.51.20.228:443 | www.wegame.com.cn | Tencent Building, Kejizhongyi Avenue | CA | unknown
3124 | TinyDL.exe | 49.51.20.228:443 | www.wegame.com.cn | Tencent Building, Kejizhongyi Avenue | CA | unknown
1372 | svchost.exe | 199.232.210.172:80 | ctldl.windowsupdate.com | FASTLY | US | unknown

DNS requests

Domain | IP | Reputation
google.com | 142.250.185.142 | whitelisted
ied-tqos.qq.com | 116.130.229.213 | whitelisted
www.wegame.com.cn | 49.51.20.228 | unknown
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
ctldl.windowsupdate.com | 199.232.210.172, 199.232.214.172 | whitelisted
crl.microsoft.com | 23.48.23.143, 23.48.23.156 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
down.qq.com | 43.152.29.15, 43.152.29.20, 43.152.137.29 | whitelisted

Threats

No threats detected

Debug output strings

Process | Message
WeGameMiniLoader.std.5.12.21.1022.exe | [NSISPlugin][TQosReport] TQos Server Address: , Port: 0, TQos ID: 0
WeGameMiniLoader.std.5.12.21.1022.exe | [NSISPlugin][TQosReport] Create TQos API Handle Error: tqos_get_qosconnd_iplist fail
WeGameMiniLoader.std.5.12.21.1022.exe | [NSISPlugin][TQosReport] TQos Server Address: , Port: 0, TQos ID: 0
WeGameMiniLoader.std.5.12.21.1022.exe | [NSISPlugin][TQosReport] Create TQos API Handle Error: tqos_get_qosconnd_iplist fail